DarkHavn

Adding encryption to a website.

Was just wondering your regards and feedback on this one.

Things like SSL on a webpage, 128-bit encryption on websites that handle sensitive data like credit card numbers and such.

Do you guys prefer, or recommend anything?

Should I rely on PHP for this, or something else?

Just thought I would get some feedback on this before I go ahead with anything.

Cheers

Lol, sorry, should have been more descriptive of what I was meaning. Yeah, SSL is a part of the server that is running Apache or depending on your flavour.

Guess what I was truly meaning is, is there any means or methods you guys recommend of encryption via PHP, if that is possible at all?

I am surprised that this has not been posted before. Normally when it comes to a question in regard to security, of any kind, there are a thousand posts.

There are a couple of ways of encrypting the sensitive data. Here is an example function that would encrypt the data before passing it to a database.

[code]
<?php
$cc_number = "0000000000000000";

// Encrypt a value before it is stored in the database.
function encryptData($data) {
      // ECB mode does not use an IV, so mcrypt ignores the value created here.
      $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
      $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
      $key = "your_key"; // placeholder key

      $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
      return $crypttext;
}

$encrypted_cc = encryptData($cc_number);

// now you can pass the encrypted data to the db


// and here is a function for decrypting the data.

function decryptData($data) {
       $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
       $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
       $key = "your_key"; // must be the same key used in encryptData()
       $decrypted_data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
       // mcrypt pads the plaintext with NUL bytes up to the block size; strip them.
       return rtrim($decrypted_data, "\0");
}

// here is a simple sql call to get the encrypted cc number
// ($something is a placeholder lookup value; escape it before it enters the query)
$something = mysql_real_escape_string($something);
$sql = mysql_query("SELECT * FROM `your_table` WHERE `something` = '$something'");

while ($rw = mysql_fetch_assoc($sql)) {
     $cc_number = decryptData($rw['cc_number']);
}
?>
[/code]

Now as far as the key goes. I randomly generate a key and then on a couple of random days each month I decrypt all of the encrypted data in the db and then encrypt it again with a new random key. I then store the key in another function.

This may be overkill but what the hell, I am responsible for that data. So I will try my best to secure it to the best of my ability.

I hope that this helps.

If anyone has any suggestions on a better way to encrypt the data or a fault in my script, please feel free to reply.

Thanks,
Tom
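
Added example, not part of the thread or any poster's code: the same encrypt-before-storing idea written with PHP's OpenSSL extension, since mcrypt was removed from PHP in 7.2 and ECB mode produces identical ciphertext for identical card numbers. It uses AES-256-GCM with a fresh nonce per value and stores a key id inside each value so the periodic key rotation described above can re-encrypt rows. The key ring, the one-byte key id layout and the function names are assumptions made for the example.

```php
<?php
// Added example: AES-256-GCM field encryption with a per-value key id (PHP 7.1+, ext-openssl).
const CIPHER = 'aes-256-gcm';
const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // full 128-bit authentication tag

// Hypothetical key ring (key id => 32-byte key); real keys belong outside the code and web root.
// Constructed with random_bytes() here so the script runs stand-alone.
$keys = [1 => random_bytes(32), 2 => random_bytes(32)];

function encryptField(string $plain, int $keyId, array $keys): string {
    $nonce = random_bytes(NONCE_LEN); // never reuse a nonce with the same key
    $tag = '';
    $ct = openssl_encrypt($plain, CIPHER, $keys[$keyId], OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout (assumed): 1-byte key id | nonce | tag | ciphertext, base64 for a text column.
    return base64_encode(chr($keyId) . $nonce . $tag . $ct);
}

function decryptField(string $stored, array $keys): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 1 + NONCE_LEN + TAG_LEN) {
        throw new RuntimeException('malformed stored value');
    }
    $key = $keys[ord($raw[0])] ?? null; // the value itself says which key encrypted it
    $nonce = substr($raw, 1, NONCE_LEN);
    $tag = substr($raw, 1 + NONCE_LEN, TAG_LEN);
    $ct = (string) substr($raw, 1 + NONCE_LEN + TAG_LEN);
    $plain = ($key === null) ? false : openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($plain === false) {
        throw new RuntimeException('decryption failed'); // unknown key id, wrong key, or modified data
    }
    return $plain;
}

// Rotation: decrypt with the key the value names, then re-encrypt under the new key id.
function rotateField(string $stored, int $newKeyId, array $keys): string {
    return encryptField(decryptField($stored, $keys), $newKeyId, $keys);
}

$cc = '0000000000000000'; // constructed sample, the same placeholder the post uses
$a = encryptField($cc, 1, $keys);
$b = encryptField($cc, 1, $keys);
var_dump($a !== $b); // compares two encryptions of the same number
$rotated = rotateField($a, 2, $keys);
var_dump(decryptField($rotated, $keys) === $cc); // round trip after rotation to key 2
```

Because each stored value carries its key id, old and new keys can coexist while a rotation job works through the table, and a value altered in the database fails decryption instead of returning garbage.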
